diff options
Diffstat (limited to 'lib/ssl/test/property_test/ssl_eqc_chain.erl')
-rw-r--r-- | lib/ssl/test/property_test/ssl_eqc_chain.erl | 211 |
1 files changed, 115 insertions, 96 deletions
diff --git a/lib/ssl/test/property_test/ssl_eqc_chain.erl b/lib/ssl/test/property_test/ssl_eqc_chain.erl index 8ac8446cab..26bba1fc4a 100644 --- a/lib/ssl/test/property_test/ssl_eqc_chain.erl +++ b/lib/ssl/test/property_test/ssl_eqc_chain.erl @@ -1,19 +1,19 @@ %% %% %CopyrightBegin% -%% -%% Copyright Ericsson AB 2018-2021. All Rights Reserved. -%% +%% +%% Copyright Ericsson AB 2018-2023. All Rights Reserved. +%% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in %% compliance with the License. You should have received a copy of the %% Erlang Public License along with this software. If not, it can be %% retrieved online at http://www.erlang.org/. -%% +%% %% Software distributed under the License is distributed on an "AS IS" %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See %% the License for the specific language governing rights and limitations %% under the License. -%% +%% %% %CopyrightEnd% %% %% @@ -58,12 +58,14 @@ %%-------------------------------------------------------------------- prop_tls_unordered_path(PrivDir) -> ?FORALL({ClientOptions, ServerOptions}, ?LET(Version, tls_version(), unordered_options(Version, PrivDir)), - try + try [TLSVersion] = proplists:get_value(versions, ClientOptions), - ssl_test_lib:basic_test(ClientOptions, ServerOptions, [{server_type, erlang}, - {client_type, erlang}, - {version, TLSVersion} - ]) + SigAlgs = signature_algs(TLSVersion), + ssl_test_lib:basic_test(SigAlgs ++ ClientOptions, + SigAlgs ++ ServerOptions, [{server_type, erlang}, + {client_type, erlang}, + {version, TLSVersion} + ]) of _ -> true @@ -75,16 +77,18 @@ prop_tls_unordered_path(PrivDir) -> prop_tls_extraneous_path(PrivDir) -> ?FORALL({ClientOptions, ServerOptions}, ?LET(Version, tls_version(), extraneous_options(Version, PrivDir)), - try + try [TLSVersion] = proplists:get_value(versions, ClientOptions), - ssl_test_lib:basic_test(ClientOptions, ServerOptions, [{server_type, erlang}, - {client_type, erlang}, - {version, TLSVersion} - ]) - of + SigAlgs = signature_algs(TLSVersion), + ssl_test_lib:basic_test(SigAlgs ++ ClientOptions, + SigAlgs ++ ServerOptions, [{server_type, erlang}, + {client_type, erlang}, + {version, TLSVersion} + ]) + of _ -> - true - catch + true + catch _:_ -> false end @@ -92,15 +96,17 @@ prop_tls_extraneous_path(PrivDir) -> prop_tls_extraneous_paths() -> ?FORALL({ClientOptions, ServerOptions}, ?LET(Version, tls_version(), extra_extraneous_options(Version)), - try + try [TLSVersion] = proplists:get_value(versions, ClientOptions), - ssl_test_lib:basic_test(ClientOptions, ServerOptions, [{server_type, erlang}, - {client_type, erlang}, - {version, TLSVersion} - ]) + SigAlgs = signature_algs(TLSVersion), + ssl_test_lib:basic_test(SigAlgs ++ ClientOptions, + SigAlgs ++ ServerOptions, [{server_type, erlang}, + {client_type, erlang}, + {version, TLSVersion} + ]) of - _ -> - true + _ -> + true catch _:_ -> false @@ -109,15 +115,17 @@ prop_tls_extraneous_paths() -> prop_tls_extraneous_and_unordered_path() -> ?FORALL({ClientOptions, ServerOptions}, ?LET(Version, tls_version(), unordered_extraneous_options(Version)), - try + try [TLSVersion] = proplists:get_value(versions, ClientOptions), - ssl_test_lib:basic_test(ClientOptions, ServerOptions, [{server_type, erlang}, - {client_type, erlang}, - {version, TLSVersion} - ]) + SigAlgs = signature_algs(TLSVersion), + ssl_test_lib:basic_test(SigAlgs ++ ClientOptions, + SigAlgs ++ ServerOptions, [{server_type, erlang}, + {client_type, erlang}, + {version, TLSVersion} + ]) of - _ -> - true + _ -> + true catch _:_ -> false @@ -128,13 +136,16 @@ prop_client_cert_auth() -> ?FORALL({ClientOptions, ServerOptions}, ?LET(Version, tls_version(), client_cert_auth_opts(Version)), try [TLSVersion] = proplists:get_value(versions, ClientOptions), - ssl_test_lib:basic_test(ClientOptions, ServerOptions, [{server_type, erlang}, - {client_type, erlang}, - {version, TLSVersion} - ]) + SigAlgs = signature_algs(TLSVersion), + ssl_test_lib:basic_test(SigAlgs ++ ClientOptions, + SigAlgs ++ ServerOptions, + [{server_type, erlang}, + {client_type, erlang}, + {version, TLSVersion} + ]) of - _ -> - true + _ -> + true catch _:_ -> false @@ -146,24 +157,24 @@ prop_client_cert_auth() -> %%-------------------------------------------------------------------- tls_version() -> Versions = [Version || Version <- ['tlsv1.3', 'tlsv1.2', 'tlsv1.1', 'tlsv1', 'dtlsv1.2', 'dtlsv1'], - ssl_test_lib:sufficient_crypto_support(Version) + ssl_test_lib:sufficient_crypto_support(Version) ], oneof(Versions). key_alg(Version) when Version == 'tlsv1.3'; Version == 'tlsv1.2'; Version == 'dtlsv1.2'-> - oneof([rsa, ecdsa]); + oneof([rsa, ecdsa]); key_alg(_) -> oneof([rsa]). server_options('tlsv1.3') -> - [{verify, verify_peer}, - {fail_if_no_peer_cert, true}, + [{verify, verify_peer}, + {fail_if_no_peer_cert, true}, {reuseaddr, true}]; server_options(_) -> - [{verify, verify_peer}, - {fail_if_no_peer_cert, true}, + [{verify, verify_peer}, + {fail_if_no_peer_cert, true}, {reuse_sessions, false}, {reuseaddr, true}]. @@ -184,28 +195,28 @@ unordered_der_cert_chain_opts(Version, Alg) -> client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => #{root => root_key(Alg), intermediates => intermediates(Alg, 4), peer => peer_key(Alg)}, - client_chain => #{root => root_key(Alg), + client_chain => #{root => root_key(Alg), intermediates => intermediates(Alg, 4), - peer => peer_key(Alg)}}), - {client_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_der_conf(ClientConf)], - server_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_der_conf(ServerConf)]}. + peer => peer_key(Alg)}}), + {client_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_der_conf(ClientConf)], + server_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_der_conf(ServerConf)]}. unordered_pem_cert_chain_opts(Version, Alg, PrivDir) -> Index = integer_to_list(erlang:unique_integer()), DerConfig = public_key:pkix_test_data(#{server_chain => #{root => root_key(Alg), intermediates => intermediates(Alg, 4), peer => peer_key(Alg)}, - client_chain => #{root => root_key(Alg), + client_chain => #{root => root_key(Alg), intermediates => intermediates(Alg, 4), - peer => peer_key(Alg)}}), + peer => peer_key(Alg)}}), ClientBase = filename:join(PrivDir, "client_prop_test" ++ Index), - SeverBase = filename:join(PrivDir, "server_prop_test" ++ Index), + SeverBase = filename:join(PrivDir, "server_prop_test" ++ Index), PemConfig = x509_test:gen_pem_config_files(DerConfig, ClientBase, SeverBase), ClientConf = proplists:get_value(client_config, PemConfig), ServerConf = proplists:get_value(server_config, PemConfig), - {client_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_pem_conf(ClientConf)], - server_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_pem_conf(ServerConf)]}. + {client_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_pem_conf(ClientConf)], + server_options(Version) ++ [protocol(Version), {versions, [Version]} | unordered_pem_conf(ServerConf)]}. unordered_der_conf(Config) -> Cert = proplists:get_value(cert, Config), @@ -253,101 +264,101 @@ client_cert_auth_opts(Version) -> ?LET({SAlg, CAlg}, {key_alg(Version), key_alg(Version)}, der_cert_chains(Version, CAlg,SAlg)). extraneous_der_cert_chain_opts(Version, Alg) -> - #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), - #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), + #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), + #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), #{server_config := ServerConf0, client_config := ClientConf0} = public_key:pkix_test_data(#{server_chain => #{root => SRoot, intermediates => intermediates(Alg, 1), peer => peer_key(ecdsa)}, - client_chain => #{root => CRoot, + client_chain => #{root => CRoot, intermediates => intermediates(Alg, 1), peer => peer_key(ecdsa)}}), - + {ClientChain, ClientRoot} = extraneous_chain_and_root(ClientConf0, "OTP test client ROOT", 1), {ServerChain, ServerRoot} = extraneous_chain_and_root(ServerConf0, "OTP test server ROOT", 1), - - {client_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_der_conf(ClientChain, ServerRoot, [OrgSRoot], ClientConf0)], - server_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_der_conf(ServerChain, ClientRoot, [OrgCRoot], ServerConf0)]}. + + {client_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_der_conf(ClientChain, ServerRoot, [OrgSRoot], ClientConf0)], + server_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_der_conf(ServerChain, ClientRoot, [OrgCRoot], ServerConf0)]}. extraneous_pem_cert_chain_opts(Version, Alg, PrivDir) -> - #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), - #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), + #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), + #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), #{server_config := ServerConf0, client_config := ClientConf0} = public_key:pkix_test_data(#{server_chain => #{root => SRoot, intermediates => intermediates(Alg, 1), peer => peer_key(ecdsa)}, - client_chain => #{root => CRoot, + client_chain => #{root => CRoot, intermediates => intermediates(Alg, 1), peer => peer_key(ecdsa)}}), {ClientChain, ClientRoot} = extraneous_chain_and_root(ClientConf0, "OTP test client ROOT", 1), {ServerChain, ServerRoot} = extraneous_chain_and_root(ServerConf0, "OTP test server ROOT", 1), - + %% Only use files in final step - {client_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_pem_conf(ClientChain, ServerRoot, OrgSRoot, ClientConf0, PrivDir)], - server_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_pem_conf(ServerChain, ClientRoot, OrgCRoot, ServerConf0, PrivDir)]}. + {client_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_pem_conf(ClientChain, ServerRoot, OrgSRoot, ClientConf0, PrivDir)], + server_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_pem_conf(ServerChain, ClientRoot, OrgCRoot, ServerConf0, PrivDir)]}. extra_extraneous_der_cert_chain_opts(Version, Alg) -> - #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), - #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), + #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), + #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), #{server_config := ServerConf0, client_config := ClientConf0} = public_key:pkix_test_data(#{server_chain => #{root => SRoot, intermediates => intermediates(Alg, 3), peer => peer_key(ecdsa)}, - client_chain => #{root => CRoot, + client_chain => #{root => CRoot, intermediates => intermediates(Alg, 3), peer => peer_key(ecdsa)}}), - - + + {ClientChain0, ClientRoot0} = extraneous_chain_and_root(ClientConf0, "OTP test client ROOT", 2), {ServerChain0, ServerRoot0} = extraneous_chain_and_root(ServerConf0, "OTP test server ROOT", 2), - + {ClientChain1, ClientRoot1} = extraneous_chain_and_root(ClientConf0, "OTP test client ROOT", 2), {ServerChain1, ServerRoot1} = extraneous_chain_and_root(ServerConf0, "OTP test server ROOT", 2), - + {ClientChain, ServerChain} = create_extraneous_chains(ClientChain0, ClientChain1, ServerChain0, ServerChain1), - {client_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_der_conf(ClientChain, ServerRoot1, [OrgSRoot, ServerRoot0], ClientConf0)], - server_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_der_conf(ServerChain, ClientRoot1, [OrgCRoot, ClientRoot0], ServerConf0)]}. + {client_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_der_conf(ClientChain, ServerRoot1, [OrgSRoot, ServerRoot0], ClientConf0)], + server_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_der_conf(ServerChain, ClientRoot1, [OrgCRoot, ClientRoot0], ServerConf0)]}. der_extraneous_and_unorder_chain(Version, Alg) -> - #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), - #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), + #{cert := OrgSRoot} = SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(Alg)), + #{cert := OrgCRoot} = CRoot = public_key:pkix_test_root_cert("OTP test client ROOT", root_key(Alg)), #{server_config := ServerConf0, - client_config := ClientConf0} = + client_config := ClientConf0} = public_key:pkix_test_data(#{server_chain => #{root => SRoot, intermediates => intermediates(Alg, 3), peer => peer_key(ecdsa)}, - client_chain => #{root => CRoot, + client_chain => #{root => CRoot, intermediates => intermediates(Alg, 3), peer => peer_key(ecdsa)}}), {ClientChain0, ClientRoot0} = chain_and_root(ClientConf0), {ServerChain0, ServerRoot0} = chain_and_root(ServerConf0), - + {ClientChain1, ClientRoot1} = extraneous_chain_and_root(ClientConf0, "OTP test client ROOT", 2), {ServerChain1, ServerRoot1} = extraneous_chain_and_root(ServerConf0, "OTP test server ROOT", 2), - + {ClientChain, ServerChain} = create_extraneous_and_unorded(ClientChain0, ClientChain1, ServerChain0, ServerChain1), - - {client_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_der_conf(ClientChain, ServerRoot1, [OrgSRoot, ServerRoot0], ClientConf0)], - server_options(Version) ++ [protocol(Version), {versions, [Version]} | - extraneous_der_conf(ServerChain, ClientRoot1, [OrgCRoot, ClientRoot0], ServerConf0)]}. + + {client_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_der_conf(ClientChain, ServerRoot1, [OrgSRoot, ServerRoot0], ClientConf0)], + server_options(Version) ++ [protocol(Version), {versions, [Version]} | + extraneous_der_conf(ServerChain, ClientRoot1, [OrgCRoot, ClientRoot0], ServerConf0)]}. der_cert_chains(Version, CAlg, SAlg) -> SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", root_key(SAlg)), @@ -384,7 +395,7 @@ extraneous_der_conf(Chain, NewRoot, OrgRoots,Config0) -> CaCerts = proplists:get_value(cacerts, Config0), Config1 = [{cert, Chain} | proplists:delete(cert, Config0)], [{cacerts, [NewRoot | CaCerts -- OrgRoots]} | proplists:delete(cacerts, Config1)]. - + extraneous_pem_conf(Chain, NewRoot, OldRoot, Config0, PrivDir) -> Int = erlang:unique_integer(), FileName = filename:join(PrivDir, "prop_test" ++ integer_to_list(Int)), @@ -409,7 +420,7 @@ create_extraneous_chains([Client, _CCA0, _CCA1, CCA2, _CCA3], [Client, OCCA0, OC create_extraneous_and_unorded([Client, _CCA0, _CCA1, CCA2, _CCA3], [Client, OCCA0, OCCA1, OCCA2, OCROOT], [Server, _SCA0, _SCA1, SCA2, _SROOT], [Server, OSCA0, OSCA1, OSCA2, OSROOT]) -> {[Client, OCCA0, CCA2, OCCA2, OCROOT, OCCA1], [Server, OSCA0, SCA2, OSCA2, OSROOT, OSCA1]}. - + root_key(ecdsa) -> [{key,{namedCurve, ?secp256r1}}]; %% Use a curve that will be default supported in all TLS versions root_key(rsa) -> @@ -436,8 +447,16 @@ hardcode_rsa_keys([Head | Tail], N, Acc) -> new_intermediat(CA0, Key) -> OTPCert = public_key:pkix_decode_cert(CA0, otp), - TBSCert = OTPCert#'OTPCertificate'.tbsCertificate, + TBSCert = OTPCert#'OTPCertificate'.tbsCertificate, Num = TBSCert#'OTPTBSCertificate'.serialNumber, - public_key:pkix_sign(TBSCert#'OTPTBSCertificate'{serialNumber = Num+1}, Key). + public_key:pkix_sign(TBSCert#'OTPTBSCertificate'{serialNumber = Num+1}, Key). + +signature_algs('tlsv1.3') -> + [ssl_test_lib:all_sig_algs()]; +signature_algs(Version) when Version == 'tlsv1.2'; + Version == 'dtlsv1.2' -> + [ssl_test_lib:all_1_2_sig_algs()]; +signature_algs(_) -> + []. |